Sennheiser Software Flaw Leaves Users Open to Hacking

You would not expect software for your headphones to seriously impair your computer’s security, but that’s exactly what Sennheiser managed to do. The desktop application for its headsets, called HeadSetup and HeadSetup Pro, included a botched root certificate, allowing anyone aware of the flaw to impersonate websites without detection. Sennheiser has issued a patch for the software, but it doesn’t seem to grasp the gravity of the screw-up.

The software, which runs on both Windows and Apple computers, is intended to help owners of the company’s headsets and speakerphones connect and use their devices. It does that, but it also installed a root certificate whose private key was exposed. Because Sennheiser placed that certificate in the operating system’s trusted certificate store, the system would then trust any website certificate issued under it.

With that certificate installed, it’s trivially easy for an attacker to create a phishing website that looks like the real deal. As long as the site presents a certificate signed with the private key leaked by the Sennheiser program, your browser would report a legitimate website with HTTPS. The only way to tell something isn’t right is to inspect the site’s certificate chain, but virtually no one does that. At most, people look for the padlock in the address bar, which doesn’t mean anything in this case. Research firm Secorvo, which discovered the flaw, proved its point by building a fake Google website that looks legitimate to a compromised system.

Secorvo’s fake Google example.

Perhaps the worst aspect of Sennheiser’s error is that uninstalling HeadSetup won’t fix the vulnerability. Even after clearing all the software, the certificate remains in place and valid. The company has released a patch that replaces that certificate with one that doesn’t leak its private key, but there’s no way to force people to update or even to make sure they know there’s a problem.
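Since uninstalling leaves the certificate behind, the practical defender’s step is to audit the trusted-root stores directly. The following PowerShell audit is an added example, not code from Sennheiser or Secorvo; the subject pattern and thumbprint are placeholders, because the article gives neither:

```powershell
# Added example: audit the Windows trusted-root stores for a leftover vendor CA.
# The subject pattern and thumbprint below are PLACEHOLDERS; take the real values
# from the vendor advisory or the Secorvo report before relying on a match.
param([switch]$Remove)

$SuspectSubjectPattern = '*Sennheiser*'                      # placeholder pattern
$KnownBadThumbprints   = @('REPLACE_WITH_ADVISORY_THUMBPRINT') # placeholder value

# Check both the machine-wide and the per-user root stores; an installer may
# have written to either, and the user store is easy to overlook.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object {
        ($_.Subject -like $SuspectSubjectPattern) -or
        ($KnownBadThumbprints -contains $_.Thumbprint)
    } | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            SelfSigned = ($_.Subject -eq $_.Issuer)   # true for a root CA
            NotAfter   = $_.NotAfter
        }
    }
}

if (-not $findings) {
    Write-Output 'No matching root certificates found.'
} else {
    $findings | Format-Table -AutoSize
    # Removal is a separate, confirmed step: review the listing first,
    # then re-run with -Remove. Each deletion prompts for confirmation.
    if ($Remove) {
        foreach ($f in $findings) {
            Remove-Item -Path "$($f.Store)\$($f.Thumbprint)" -Confirm
        }
    }
}
```

Run it from an elevated PowerShell session so the LocalMachine store is readable and, if needed, writable; on macOS the equivalent check is against the System keychain rather than a certificate drive.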

The flaw has been compared with Lenovo’s Superfish bug, which affected PCs back in 2015. Superfish was a sketchy adware program bundled on Lenovo’s PCs, and like Sennheiser HeadSetup, it contained a flawed root certificate that allowed third parties to spoof websites. That was arguably worse because the bug was preloaded on new PCs. There will be fewer systems affected by Sennheiser’s vulnerability, but the risk is very much the same for those with the bugged software.

Lenovo was eventually fined $3.5 million by the FTC over Superfish. Sennheiser might want to start setting some cash aside.